There is now a practical, relatively fast attack on 64-bit block ciphers that lets attackers recover authentication cookies and other credentials from HTTPS-protected sessions, a pair of French researchers said. Legacy ciphers Triple-DES and Blowfish need to go the way of the broken RC4 cipher: Deprecated and disabled everywhere.

With the attack, dubbed Sweet32, the researchers were able to take authentication cookies from HTTPS-protected traffic using triple-DES (3DES) and Blowfish and recover login credentials to access victim accounts, said Karthikeyan Bhargavan and Gaëtan Leurent of INRIA in France. The attack highlights why it is necessary for sites to stop using legacy ciphers and upgrade to modern, more secure ciphers.

"We show that a network attacker who can monitor a long-lived Triple-DES HTTPS connection between a web browser and a website can recover secure HTTP cookies by capturing around 785 GB of traffic. In our proof-of-concept demo, this attack currently takes less than two days, using malicious Javascript to generate traffic," said Bhargavan and Leurent. They are expected to present the full paper in October at the 23rd ACM Conference on Computer and Communications Security.

Sweet32 is a collision attack against triple-DES (3DES) and Blowfish in cipher block chaining (CBC) mode. In CBC mode, a collision between two cipher inputs reveals the XOR of two message blocks. When lots of message blocks are encrypted with the same key in this mode, collisions become more likely, and each collision exposes the XOR of the contents of two different message blocks. Attackers can target a victim's authentication cookie by luring them to a malicious site and injecting JavaScript into the victim's browser. The JavaScript repeatedly sends HTTP queries to a site the victim is logged into, and each request will include the authentication cookie.

The researchers found that if the attackers send at least 2^32 queries and capture all the requests, they will eventually see a collision and be able to recover the contents of the cookie.
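Why a repeated ciphertext block leaks plaintext in CBC mode, shown as an added example that is not from the researchers' paper or the original article. It uses a constructed 16-bit toy Feistel cipher (all function names, the key and the plaintext are assumptions), so a collision appears after a few hundred blocks rather than the roughly 2^32 needed with a 64-bit block.

```python
import hashlib

HALF_BITS = 8                      # toy cipher: 16-bit blocks (3DES and Blowfish use 64)
MASK = (1 << HALF_BITS) - 1

def toy_encrypt(key, block):
    """4-round Feistel permutation on 16-bit blocks; a stand-in, not a real cipher."""
    left, right = block >> HALF_BITS, block & MASK
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd, right])).digest()[0]
        left, right = right, left ^ f
    return (left << HALF_BITS) | right

def cbc_encrypt(key, iv, blocks):
    """CBC: c_i = E(p_i XOR c_{i-1}), with the IV standing in for c_{-1}."""
    out, prev = [], iv
    for p in blocks:
        prev = toy_encrypt(key, p ^ prev)
        out.append(prev)
    return out

def first_collision(ciphertext):
    """Return (i, j), i < j, for the first repeated ciphertext block, else None."""
    seen = {}
    for j, c in enumerate(ciphertext):
        if c in seen:
            return seen[c], j
        seen[c] = j
    return None

def leaked_xor(iv, ciphertext, i, j):
    """E is a permutation, so c_i == c_j means p_i ^ c_{i-1} == p_j ^ c_{j-1};
    anyone who sees only the ciphertext therefore learns p_i ^ p_j."""
    prev = lambda k: iv if k == 0 else ciphertext[k - 1]
    return prev(i) ^ prev(j)

def run_demo(n_blocks=4096):
    key, iv = b"constructed demo key", 0x1234
    # Constructed plaintext: deterministic pseudo-random 16-bit blocks.
    plain = [int.from_bytes(hashlib.sha256(i.to_bytes(4, "big")).digest()[:2], "big")
             for i in range(n_blocks)]
    ct = cbc_encrypt(key, iv, plain)
    i, j = first_collision(ct)
    return plain, (i, j), leaked_xor(iv, ct, i, j)

if __name__ == "__main__":
    plain, (i, j), leak = run_demo()
    print(f"blocks {i} and {j} collide after {j + 1} blocks (birthday bound 2^8 = 256)")
    print(f"leaked XOR {leak:#06x}, actual p_i ^ p_j {plain[i] ^ plain[j]:#06x}")
```

The same relation holds for any block cipher in CBC mode; only the amount of data needed before the first collision changes with the block size, which is why rekeying well before the birthday bound or moving to a 128-bit block cipher removes the exposure.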

"An important requirement for the attack is to send a large number of requests in the same TLS connection. Therefore, we need to find client and servers that not only negotiate the use of Triple-DES, but also exchange a large number of HTTP requests in the same TLS connection (without rekeying). This is possible using a persistent HTTP connection, as defined in HTTP/1.1 (Keep-Alive). On the client side, all browsers that we tested (Firefox, Chrome, Opera) will reuse a TLS connection as long as the server keeps it open," the researchers said.

Blowfish and 3DES are still supported in TLS, IPsec, SSH, and other protocols, and well-known sites such as Nasdaq.com and Walmart.com still support these legacy ciphers. The majority of OpenVPN connections and between 1 percent and 2 percent of the Internet's traffic may be susceptible to Sweet32, the researchers estimated. The implementation used in OpenSSL is also affected, although the OpenSSL maintainers claimed the attack did not expose a critical weakness.

OpenVPN 2.3.12 comes with a warning about Blowfish weaknesses and secure configuration advice for dealing with Sweet32. OpenSSL 1.0.2 and 1.0.1 will move 3DES from the "HIGH" keyword to the "MEDIUM" keyword and support it by default; the newer OpenSSL 1.1.0 will no longer compile the cipher as part of the default build. Administrators wanting to use the legacy cipher in OpenSSL 1.1.0 will need to use the "enable-weak-ssl-ciphers" configuration option, and even then, the cipher is allowed only in the "MEDIUM" keyword. Major browser makers are making changes that would prioritize more secure ciphers over 3DES.

The techniques and principles used to craft the attack are well-understood in cryptographic circles. The researchers reduced the complexity and time needed to execute the attack.

Just because the attack is possible doesn't mean it is particularly easy to carry out. For Sweet32, the attacker needs to be able to both monitor traffic passing between the end user and a vulnerable website and control JavaScript on a webpage loaded by the user's browser. It would take about 38 hours to collect the hundreds of gigabytes of data necessary to decrypt the authentication cookie. This attack scenario is very much a laboratory scenario, but it's still a good reminder that eventually these attacks will become easier to carry out.

Enterprises and developers should treat 3DES and Blowfish in the same way they treat RC4: stop using them. The complexity of Sweet32 is comparable to recently developed attacks against RC4, the researchers said. Researchers developing more ways to attack RC4 sped up its deprecation. Major web browsers no longer support RC4, and major websites such as Gmail have also entirely deprecated the cipher.

Developers should stop using legacy 64-bit block ciphers altogether. In the case of Sweet32, that means disabling the Triple DES symmetric key cipher in TLS and retiring Blowfish in OpenVPN. Ciphers with larger block sizes, such as AES, are immune from Sweet32. Server administrators can also disable ciphers with shorter block sizes entirely. This would affect a small number of users who are still relying on older hardware and software.

There is no need to wait until the attacks are easy and cheap to execute to get rid of weak and vulnerable cryptographic ciphers. Just as there is a concerted effort to ditch RC4, other 64-bit ciphers also need to go.

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.